Looking for assistance with a search -
| metadata type=hosts | rename lastTime as "Last Event"| search host=**** | fieldformat "Last Event"=strftime('Last Event', "%c") | table host "Last Event" | rename host as Host
This search currently provides host and last reported event - I'm hoping to add one more column that essentially gives me a "Host Reporting" or "Host Not Reporting" based on last event time. If "Last Event" is >10 minutes, show as "Host Not Reporting".
Any help would be appreciated.